Got a fair amount of feedback, both through internal reviews and through this group

He did a pass at editing to address the common concerns

There are a number of organizations that wanted to get their legal teams involved

We’ve had a little bit of legal review so far

Might be worthwhile for him to re-review, go over edits

Third and fourth topics that have been the subject of active discussion

1) Best practices related to individuals, identity assurance as well as continuation of discussion from early in the project about use cases, provider to patient

2) Best practices relating to attachment sizes and virus scanning and the things that become part of normal e-mail processing requirements

Sentiment so far has been that it’s better to complete the two things in flight rather than take on new business

David McCallie

Do changes to the documents reflect some of the comments from the Standards Committee meeting?

Arien Malec

Did a review with Dixie on the privacy and security aspects of the two current specs, she will have the Privacy and Security WG of the Standards Committee review

Should probably wait until they conclude their review to make changes

David McCallie

Dixie has not formally asked the committee to review yet

Some of their questions do relate to best practice issues, and other questions just show that they still don’t quite understand what we are doing, which means we need stronger messaging

Arien Malec

Has four topics of discussion for this meeting

1) Certificate best practices

2) Where we are with the best practices for HISPs document

3) Feedback from the HIT Standards Committee in terms of addressing

4) Whether we want to take on additional best practices

Topic 1: Certificates best practices

We have the certificate handling best practices document, pretty well done

Has been reviewed a number of times, has gone through a couple sets of review, both with this group and through the Security and Trust WG

Next step would be for it to go to IG Consensus

Noted that the Security and Trust WG had two organizations that went on to do a separate review, so the document is not complete through the Security and Trust WG

Should complete as of today’s meeting (11/4)

Assuming the document passes through the Security and Trust WG, we could take two approaches

1) Keep essentially as a sub-IG consensus approved deliverable until Tiger Team has finished its conversation

2) Go ahead and get approved at IG level, understanding we may need to revise

Asked for any strong opinions

David McCallie

The fewer times we have to change things, the better

Would prefer waiting if changes are likely

It is such a complicated topic, seems like something will come up in review

Gary Christensen

Doesn’t have a strong opinion, but thinks decisions should be based on what the utility of the document is with respect to the other ongoing activities

If we think it is generally useful and generally right, we should make it available for folks to use

If we think it isn’t relevant to the ongoing activities, we can hold it for now

Don Jorgenson

Useful feedback, as a guide

Arien Malec

Can pass for now, and assuming it gets through the Security & Trust WG, can submit to full IG

They had put in a reference to NIST Level 2, and later felt it didn’t make sense

Would be better to say “equivalent to” rather than saying “NIST Level 2”

David McCallie

Thinks that is in the spirit of how NIST approaches things, not to be prescriptive, but to provide examples

Has no trouble with it

Has question about whether or not we should specify a NIST level at all, can come back to that question

<No other WG member had an issue with using “equivalent”>

David McCallie

Question about using NIST at all

Standards for users connecting to an HIE

Should ONC require very specific credentialing to connect to an HIE?

In providers’ workflow, EMR, already on the hook to ensure that only the proper users have access to the EMR in the first place and that securities are in place so functions available to a provider match their role

Do we want to have an additional authentication step?

Or “if you are a provider authorized to use your system, you can use Direct?”

Arien Malec

We have language about that in the document already

David McCallie

That’s the spirit exactly—if you’ve already crossed that hurdle, you don’t have to go through additional steps

If coming into an isolated portal, it’s a different story

Arien Malec

Remembers Farzad Mostashari making the point that if I can change things but not send a message electronically, that seems silly

Don Jorgenson

Ultimately it is the issue Arien raised – we need to have vocabulary, terminology appropriate to describe what the levels of proofing and assurance are that can be applied to making the decision whether trust is appropriate, using NIST language or not

Arien Malec

That was the direction he was going in by using “equivalent with” or “consistent with”

Don Jorgenson

Thinks that’s fine for now

Arien Malec

Thinks the Tiger Team will come out with recommendations that will go through the Policy Committee and be part of a governance process

David McCallie

Initial focus is on entity authentication rather than individual, but the Tiger Team discussion will likely move to the individual level

Arien Malec

Current recommendations talk about organizations

Second topic: Best Practices for HISPs

Current status is there are a number of organizations that requested an extension of the review to get legally reviewed

Couple instances where additional legal review is needed

Kryptiq, Surescripts, requested additional legal review

Did one pass with MedPlus/Quest Diagnostics

He will reach out to Surescripts and Kryptiq

He made changes

He took out language about it not covering individuals, wasn’t necessary

Examples of why BAAs might not be explicitly required, if the contractee is not a covered entity

Changed “PHI” to “PII”

Noted that when he mentioned “equivalent protection” in cases where the organization is not a covered entity, organizations that are HISPs to that organization will not be BAs under the terms of HIPAA

Noted in the recommendations that either you need to be an individual covered entity and therefore a BA as covered by HIPAA, or else have an equivalent contractual agreement

Deven pointed out you can’t ever be equivalent because you don’t have enforcement powers

Question, someone asked if we had discussed or been approached about Homeland Security Patriot Act-like implications of the way we are doing encryption

Arien Malec

We will know we are successful when we get questions like that

David McCallie

Would prefer not to worry about this issue, but do we have to? Richard Marks, a HIPAA lawyer who used to work for the NSA, asked

Arien Malec

Third Topic: Discuss feedback from HIT Standards Committee

Most of the feedback was not relevant, was an odd meeting

“Why did you choose REST?”

“Is this simple enough?”

“Why do you keep mentioning XDR?”

Asked David to help summarize

David McCallie

Covered one class of questions that came up, “it’s too complicated” on the one hand, and on the other, “it is too complicated, why do you keep using XDR, XDM?”

Did a good job of addressing questions, people weren’t really asking as much as making a point

No critical issues other than our continued need to communicate exactly what we are doing

Second set of issues from Dixie Baker, misunderstanding how our security model works

Potential for inadvertent exposure of patient data at HISP that we haven’t accounted for

She is failing to recognize that we are treating the HISP as a BA, and expect the same best practices around PII that we would if they held an EHR

Can encrypt the desktop, if they choose to do so

Arien Malec

In private discussion she also raised whether the specs themselves cover audit or the requirement to audit

That may come up during the workgroup review

Thinks the next step is for Dixie to request a workgroup review

David McCallie

There is still a lack of understanding of what we are doing

He used the current slide set about two weeks ago

We are missing a knock-out visual that shows the data flows; we have all the right words, but you can’t point and show where the doctor sits, where the HISP sits, here is where it gets encrypted, here is where it gets decrypted

Arien Malec

Thinks the visual should cover HISP agent model as well as the pure routing model

David McCallie

Right, so two pictures, Option One and Option Two

There is a gap in understanding, not a gap in design

Arien Malec

Asked for comments on Standards Committee review if anyone heard

David McCallie

Dixie made the assertion that the Standards Committee made recommendations and Direct ignored them all, but Arien addressed those concerns well

Arien Malec

Fourth topic: New areas of focus

Asked whether there is any energy to take on best practices related to two other wants and needs from the implementation geographies

1) Identity assurance for patients, bilaterally

2) Best practices related to attachment handling

He’s unable to work on it himself

David McCallie

Asked if a PHR is participating in a pilot

Arien Malec

Yes

David McCallie

Would they have an approach to handle consumers that might be participating?

Individuals using the system who aren’t providers

Would Microsoft or anyone else be facing this issue?

Arien Malec

This topic has also been a lot of interest to Rich Elmore

Asked Gary if he feels he has appropriate best practices for this issue

Are they involving individuals in their pilot?

Gary Christensen

Was just about to say that he would put the consumer/individual issue below the attachments issue

Because initial user groups will likely be doctors, not individuals

We’re not focused on that yet

David McCallie

Just doesn’t want to ignore the individuals issue, so folks with a vested interest in approaching consumers should drive this conversation

Arien Malec

Asked when advice on individuals would be needed

Don Jorgenson

Sometime, but there is no sense of urgency yet

Have ability to send any kind of messaging

Not an issue in the pilot early on, he’s fine with deferring for a little while

Microsoft, PHR vendors

David McCallie

Discussion on size of message, back when initially debating

Essentially not allowed through public SMTP channels

Debated notion that they could pick arbitrarily large message size and set as practice

Now perfectly feasible that S/MIME could go over standard mail channels

We cannot guarantee the size

Arien Malec

Have people who want to use same transactions for claims attachments

CMS is planning on massive file sizes

Gary Christensen

Asked Don if questions came up in the working group

Don Jorgenson

Thinks it’s an implementation and capability issue for service provider rather than a best practices issue

Probably should steer clear of at this level

Gary Christensen

Are there any things that say that’s a good question, we should get consensus on it?

Or else if we aren’t hitting up against it in our pilot, we don’t need best practice guidance yet

Don Jorgenson

Might double check with Pat Pyette

David McCallie

Can’t guarantee every gateway will handle an arbitrarily large file

Don Jorgenson

Depends on the implementers, if we get into how to resolve, how do we discover, that’s a different issue

David McCallie

Not sure it is technically possible to guarantee an arbitrarily large size

Would be an implementation’s decision

Would fit in a best practices document, could set limit

Would want to talk to more of an SMTP expert

Gary Christensen

Besides size, are there any other issues?

Arien Malec

Requirements about whether every HISP must provide virus screening services, for example

Hearing lots of good discussion, but no one signing up to write first draft

John Williams

What about addressing other security considerations?

Arien Malec

We do require compliance with HIPAA security rules

John Williams

Would like to see expansion on that

Seems like a starting point

Arien Malec

Ends up being much more detailed

At a high level right now for best practice perspective, at the next level down we would need security officers involved to look at scanning, protection, policies for open ports, etc.

Will ask Rich Elmore, Janet Campbell, Sean Nolan and possibly someone from Google if they want to work on individuals

Thinks there is a set of known patterns on how to do this, thinks someone could write the first draft quickly